On version 6.34.2 Ping/Check Gateway is saying the route is down when it is in fact up.... Running the DHCP client Adding check gateway via routing filter Release renew to the same IP temporarily fixes the issue... In the end I had to downgrade to the stable 6.32.4 release to resolve the intermitten...
Place a routing mark on LAN 1 both subnets Place a different routing mark on LAN 2 all 3 subnets. In routes establish your WAN routes requiring that routing mark corresponding to the LAN you want routed out of it. As for communication between subnets on different LANs this happen automatically unles...
Because your WAN connections are on different routers I do not see dynamic load balancing happening. But with VLAN separation we can do static load balancing. Example of VRRP setup with 2 vlans Router 1 VLAN 2 Master Router 2 VLAN 2 Slave Router 1 VLAN 3 Slave Router 2 VLAN 3 Master So this load bal...
src-nat (Where it is coming from) <--Usually for an outbound request dst-nat (Where it is going to) <--- Usually for an inbound request Example I want to NAT in all requests to WAN IP 68.X.X.X:8080 to a device behind my router on port 80. DST-NAT TCP dstport 8080 Action dst-nat IP 10.0.0.8 dst port ...
Limit at 10 priority 7 Max 10 192.168.0.1 Limit at 10 priority 7 Max 10 192.168.0.2 Limit at "Total pipe minus 20" Priority 8 Max "Total Pipe" 192.168.0.X X being everything else So how does this work so you can tweak it..... 1. Priority 1 to 8 in order reach LIMIT 2. Anything Le...
As you may know many small sites that need redundancy currently have two ISPs and are using nat44. If all of them now have to use PI or BGP the routing tables would get huge and cause issues not to mention the costs to the end user. That first statement had no purpose other than to discourage those ...
If your concern is the 802.11B clients slowing down the Wifi speed of 802.11N clients, that is going to occur at the Radio, not at the router. Meaning no changes to the router can help you.
If you want to throttle the Wifi clients so Cameras have more speed, then you can do this with a queue.
Okay, as I understand it your question is: Can I have fail-over with HOT standby that will not drop a call in progress? If that is your question the answer is NO. All connected sessions are broken when the IP address changes. Meaning all streaming music, all streaming video, all VOIP calls, and all onlin...
This is an old joke.... Assuming you don't want to secure the connection you could change the expiration time to 6 Hours and increase the pool size by a factor of 10. By the looks of it that would solve your issue. Just a thought... I wonder how it would handle you switching to a 10.0.0.0/8 and then...
The Router eats up two publics... One on WAN and Another on LAN... Then the remainder go to the clients with the LAN side IP as gateway. MAKE SURE Masquerade is OFF for these. Now due to the loss of two addresses on the router and the forced subnet division, this is the downside of this method. Now in...
I'm only not sure how option 2 relates to security (public IPs on my LAN!) and how to set up the internet gateway router. Do I have to make it a bridged gateway router? And set up all firewall rules on the bridge? Since the rest was answered I will try to answer this question. Firewall Filter (I...
Okay you have three options. 1. 1 to 1 Nat : Assign ALL public addresses being used to the WAN interface. Then use NAT to control what privates use those public. OR 2. Directly assign the Public Addresses : Assign one public to the WAN interface and subnet out the rest of your /24 to your devices. (...
You can't override the client device IP settings. If you did find a way to do this it would be a hack and depending on where you did this would probably be a crime. However, You can change DHCP Server to add the ARP table entry. Then change ARP on the interface in question to reply only. By doing th...
Situation 1 Assuming you have these addresses assigned to the WAN interface.... You must http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT 1 to 1 NAT Situation 2 Now if those addresses are not assigned to the WAN interface (Not an option if one must be on your router's WAN). You can assign them on...
Okay step by step... Assuming you have static IPs via the DHCP client.... Do not add default route to routing table for both clients **If IPs are dynamic you will go ahead and add the routes but use a routing filter to differentiate them and add the routing marks Add IP Pool for each local group I...
All you're going to need to do is Routing mark in Mangle and run static routes that refer to those routing marks. These can be one pool or two pools, does not matter.
IF the Hair pin nat rules are not working http://wiki.mikrotik.com/wiki/Hairpin_NAT please post firewall NAT rules ****Did you use the final masquerade rule on the hairpin nat page? *********Also, I know this is bad form but you could just put the DNS entry into the mikrotik for the local address.
Well I see a major issue with what you are trying.... Putting them all in the same Layer 2 does just that and puts them all in the same Layer 2. So your DHCP servers will compete with each other. Have you considered doing arp-proxy and arranging your subnets as follows: 192.168.0.0/16 (Server) 192.1...
The best advice is to tag everything as it leaves the switch going to the Mikrotik. No native on the trunk port going to the Mikrotik. So Mikrotik to Switch all tagged switch to other devices run in hybrid mode as needed. If you don't want to do that the Mikrotik's switch can do what you are asking ...
As for the remainder of your goals
1. Firewall Mangle Mark Connections
2. Firewall Mangle based on those Connection marks mark packets
3. Queue Tree Based on those packet marks queue the traffic
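The three steps above (mark connections, mark packets from those connection marks, queue on the packet marks), as an added RouterOS v6 example that is not the poster's own configuration; the interface names bridge-lan and ether1-wan, the 10.0.0.0/22 office subnet and the rate values are assumed placeholders.

```routeros
# Added example, not from the original post. Assumed names: LAN bridge "bridge-lan",
# WAN interface "ether1-wan", office subnet 10.0.0.0/22 (constructed values).
/ip firewall mangle
# Step 1: mark the connection once, on its first packet only (connection-mark=no-mark),
# whichever side opened it
add chain=forward src-address=10.0.0.0/22 connection-mark=no-mark \
    action=mark-connection new-connection-mark=office-conn passthrough=yes
add chain=forward dst-address=10.0.0.0/22 connection-mark=no-mark \
    action=mark-connection new-connection-mark=office-conn passthrough=yes
# Step 2: mark every packet of a marked connection by direction; passthrough=no
# stops further mangle processing once the packet mark is set
add chain=forward connection-mark=office-conn out-interface=ether1-wan \
    action=mark-packet new-packet-mark=office-up passthrough=no
add chain=forward connection-mark=office-conn in-interface=ether1-wan \
    action=mark-packet new-packet-mark=office-down passthrough=no
# Step 3: queue tree, one parent per direction (upload queues on the WAN interface,
# download queues on the LAN bridge), one child per packet mark
/queue tree
add name=wan-upload parent=ether1-wan max-limit=10M
add name=office-up parent=wan-upload packet-mark=office-up \
    limit-at=4M max-limit=10M priority=1
add name=wan-download parent=bridge-lan max-limit=50M
add name=office-down parent=wan-download packet-mark=office-down \
    limit-at=20M max-limit=50M priority=1
```

Any packet that carries no packet mark falls outside these child queues, so add a catch-all child (or mark the remaining traffic) if the rest of the LAN should also be shaped.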
Okay I see the issue. You have 0.0.0.0/0 routes at distance ZERO. Distance Zero should be all your local routes and distance 1+ should be used for your out to internet routes.
At no time should a 0.0.0.0/0 DST route be distance 0.....
Ah, I see the issue now: those mangle rules don't exclude your local traffic. [admin@MikroTik] /ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=mark-routing new-routing-mark=TC passthrough=yes src-address=192.168.88.0/24 1 chain=prerouting action=mark-...
Just to note the way to do this with routes only would have been ip route add dst-address=172.16.0.0/24 gateway="192.168.0.150" (You may need distance 1) Because anything going to 172.16.0.0/24 is sent to 192.168.0.150 for resolution. The router knows 192.168.0.150 is on the local bridge d...
Maybe you should explain everything. Exactly what you are trying to do. Because as is you should have no issue. The default Mikrotik firewall rules allow triggering. 0 ;;; default configuration chain=input action=accept protocol=icmp 1 ;;; default configuration chain=input action=accept connection-s...
Disable your firewall filter rules and test again. If it succeeds, resolve the issue with an allow above the drop that is causing the issue. Assuming that is not the issue at all.... It is possible you have a route that is hijacking that traffic. Do a print on your routes and post them. ******O...
This is a BASIC overview of how to do it. You will need the Wiki to fill in the details. Feel free to reply if you are having trouble. After setting up your DHCP address reservations you need to create address lists in the firewall. Create your 3 lists as well as the fourth list that has no access. ...
You can only allow certain address to use the internet, but if a user uses one of those addresses and performs NAT behind it... That as they say is that. So if a user performs NAT behind a valid address you won't see the MAC address of any device except the head end device. This is the nature of lay...
Without more of your configuration information it is hard to answer... I would say accept packets to that server based on that IP then PASS-THROUGH=NO on NAT. This will bypass your other rules.
Why not just give out IPs to authorized devices only as well as using arp-reply only and dhcp server add arp. OR setup a pool with let's say 10 IPs and expire them after 1 hour. I know you want 8 devices max but if they exchange a device you have a little coverage. OR Have you considered breaking th...
Under the Queue Tree that is applying to ALL users as a collective. Remember limit allows highest priority queue to reach limit first. After all queues are at limit then highest may go to max limit. If you want to set individual user limits that is set in queue type PCQ. Then you would select that q...
Well if you can't get to port 80 with the Mikrotik firewall off and port 80 service on in the router. Meaning if the router's port 80 page does not come up from the outside....
For testing purposes I would enable port 80 service on the Mikrotik... Test it internally Disable the firewall.. Test it externally. My guess is the external test will fail because an ISP issue is blocking that port... *****Have you Considered redirecting another port to port 80 from the outside? Ex...
Assuming they are independent master ports and are not assigned to the same bridge. What you did looks good. Regardless this is what I am doing and I know it works. Network Setup 10.0.0.0/22 Office (Protected Secure Network) 10.255.1.0/29 Printer (Office and other networks need access) 10.1-5.X.X/22...
Example IP FIREWALL NAT add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN protocol=tcp to-addresses=10.0.0.2 to-ports=80 With this rule a web browser going to your URL will be forwarded to the web page for 10.0.0.2 instead of the router.... Also under IP Services Disable www port 80 and t...
While Mikrotik has a switch chip... It is no substitute for an actual managed switch. Add your VLAN Interface in INTERFACE Your switch will need to have default vlan set to 2 for those ports change mode to fall back. Leave as always strip. Now head to dhcp server and you will see the VLAN interface ...
Have you tried leaving DST address empty and selecting Input Interface instead? I'm pretty sure that's what I'm doing now. This worked perfect for me.... My smartphone on sprint network resolved my wan ip 72.x.x.x:4444 to a Ubiquiti NSM5 under my mikrotik router. add action=dst-nat chain=dstnat dst...
In a Queue tree you have a parent queue and child queue. Place your high priority PCs IP in the High priority child queue. Have a high limit at rate set. Then place everything else in the low priority child queue.
However when considering.... You could do PCQ with a VERY High max limit but put in the minimum limit at rates you want to have reserved for you priority queue.
I think the issue is the two local hops in your DNS. Have your Windows DHCP server direct DNS directly to the router 172.16.1.1 instead of the DHCP server relaying you over to it.
I am unclear as to what the goal is... Are you wanting to NAT multi local address out of all of them and balance? Are you wanting to NAT 1 to 1 some of them and multi out one? ***Assuming what you want is something like this... Assign all the Public IPs to Router A wan port. Then setup NAT rules to ...
You have 3 methods to choose from... I suggest you use which ever you are most comfortable with. 1. PPPoE http://wiki.mikrotik.com/wiki/PPPOE_Server 2. DHCP This is what you do now except with public addresses NO NAT, NO Masquerade. 3. 1 to 1 NAT http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT ...
Yes, You're going to use Mangle. Mangle based on Src-address each subnet with a routing mark. Routing mark can be anything, example Wan1, Wan2, and Wan3. Now that packets are marked the next step in IP Routes: Put three any address routes in (0.0.0.0/0) referring to the gateway you want to use. Also don'...
Just to provide more info http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features You will notice that the mikrotik switch chips are different across most models... Head down to the final section Example - 802.1Q Trunking with Atheros switch chip in RouterOS v6 In here you read this works with AR8...
Well in effect limiting can reserve as well... If the limit is set below the max limit of your connection and you have not reserved some bandwidth. Please review this http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ It will probably lead you to the solution you are looking for... If you did not mean per...
Mikrotik for the most part does not have that developed a switch chip. As far as I have seen to run native Vlan untagged it must have been tagged once it arrives back at the router... So you need a switch to handle that tagging on trunk and untagging on native ports. The 260GS works fine. So handle ...
This is the rule I just tested and port 80 connects perfectly through my router's WAN to my LAN device at 10.0.0.2. I put my WAN address in the browser to test it from my smartphone. add action=dst-nat chain=dstnat dst-port=80 in-interface=Ether1-Gateway-TW protocol=tcp to-addresses=10.0.0.2 to-ports...
Also to be clear an enslaved port is L2 connected to the master and all remaining slaves. Thus an L2 request that does not require the Router will be forwarded by the switch and ignore all the rules as they are L3.
I believe port 2 is the master port by default so you may want to use port 5 instead.... Steps 1. Interface - Un-enslave port 5 2. Firewall - Nat - Duplicate Masquerade rule and change port to 5 3. Interface - Add PPPOE client to Port 5 ***Notes*** You will probably not want to add default routes fo...
Are the NAT rules for the PPPoE connection auto populating? I have a DSL Connection that is PPPoE up in a mikrotik as a route for one of my VLANS. It is working just fine. I am doing the same thing you are and not adding the default route. Then using routing marks to direct the traffic to the connecti...
It will remember the detection for the remainder of the lease. If Mikrotik A goes down and Mikrotik B needs to hand out an IP to a client it broadcasts to detect if the IP is in use. The response carries with it the lease time and it adds that lease with the lease time to the table. So if the client ...
The router will issue the client an IP from its pool regardless of the client's previous address. If it is possible that you could run out of addresses then make your pool bigger or have a spill over secondary pool. If the original comes back online and some of its pool are in use issued by the second ro...
DHCP Server
Add both but assign no pool to 192.168.2.x
Under leases add statically the leases you want the 192.168.2.x server to hand out. (You will need end devices MAC address)
Okay to solve your first issue... I use these two filters to solve two of my issues. Both of these seem to be your first issue.. Rule 1 adds the check gateway function to a dynamic route Rule 2 drops the route if it gets an IP within range 192.168.100.0/24... Normally if the modem has connectivity i...
Sorry for delayed response have been out of town at the Wispa convention. 1. It would seem that I can only ping over the tunnel if I receive a ping from the other end first - is there something I may have overlooked or missed here? Check your firewall rule... Add a rule and exempt this traffic. 2. ...
It seems to me you would want to use both of these rules..... /ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \ action=netmap to-addresses=2.2.2.1-2.2.2.254 /ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \ action=netmap to-addresses=11.11.11.1-11.11.11.254 WITH...
Yes the key action is Netmap. Your chain would be srcnat or dstnat based on the direction you are going (Yes to source and dst address as well). You will need two rules for it to map both directions. The example in the article is really good. /ip firewall nat add chain=dstnat dst-address=11.11.11.1-...
Here is how to do it by port 1. Change master port of VOIP device port to none (Unless it is the master port; if this is the case use a different port for it) 2. Address - Assign a different IP address to the port VOIP is plugged into. 3. Assign your dhcp server to that port 4. Setup a simple queue re...
enslaved ports only show up under the master. Since you are setup that way you can't do it by port since you have them all on the same L2 switch. You will need to specify the devices by IP address.
Assuming this is the business environment and you own and control all PC in the office.... You need to remove/restrict access to Internet Properties/Internet Options in the control panel. Otherwise you are going to be on an endless journey of banning proxy server after proxy server.... Forever fight...
1 I would write down your isp dns server address. 2 Then disable use peer dns in the DHCP client. 3 Goto IP DNS and put the servers you want to use in manually. (They will be used in that order) (I use google 8.8.8.8 and 8.8.4.4) 4 Make sure your dhcp server assigns your network the routers address ...
Assign 192.168.2.1/24 to the interface that it is plugged into. Then the router will build that route into the routing table and you can reach the device from the other network.
@tws101 You are wrong, there is a difference between 'action=passthrough' and 'passthrough' property. passthrough (yes | no; default: yes) - whether to let the packet to pass further (like action passthrough) after marking it with a given mark (property only valid if action is mark packet, connecti...
Two ways to do this. 1. (I would not use this method) a Use Mangle with action add to address list b Setup the routing mark for that address list 2. (I would use this method) a Use mangle to mark an address range with routing mark b Remove that address range from the DHCP pool c Add static address a...
That is not my understanding. I understand that the addresses you would be assigned would be routable and reachable only through the provider they link back to. Meaning if my provider TWC IP address was assigned to clients and that gateway goes down the client would need a new IP address from ATT or ...
I currently have a 750gl setup for dual wan using ATT and TWC as the isps. Since we have locally assigned IP addresses this works fine. How will this work when we switch to IPv6? Currently my route table handles the requests from different VLAN to different ISPs. Certain subnets go to one or the oth...
It would not be correct making that bridge. In order to make an upload queue for WAN2 you need to mark the packets separately and create a different queue tree for them. Example IP Firewall Mangle Chain=forward sourceip=X.X.X.X(local) output interface=wan2 Action: Mark Packet=Upload WAN2 Then make a ...
Two ways you can do this.... 1. Load Balancing based on source IP (Easy) 2. Round Robin load balancing (Complicated) Method 2 has plenty of guides regarding it and uses a ton of rules. I will quickly address method 1. Using IP Firewall Mangle we will mark packets from specific IPs with a routing mar...
IP Firewall Mangle Chain=prerouting put in the source IP address go to action tab Mark routing Insert name of routing mark (Make a name up) Ip route distance=1 dst-address=0.0.0.0/0 gateway="Ip of destination router) routing-mark="The name you made up in the first rule" pref-src=0.0.0...
Source would be 2.2.2.0/24 also the second line you have routing mark="Name" "Name" need to be the name of the routing mark... Which from the first line is "Public". The first line tags traffic with a mark that you name. The second rule tells the router where to send th...
The routing marks need to be on the head end router. NAT exemption must be on both.
Also are your vlans bridged between WAN and LAN on the head end router? Do you have one WAN interface on the head end router with both connection in as VLANS or do you have 2 physical interfaces in use?
You have over complicated this. DO NOT BRIDGE ANY OF THEM.
Under ETH2 Interface set its master port to ETH1. Now ETH1 and ETH2 will be on the same switch. ALSO you don't need to have the VLAN interfaces on ETH2 anymore, the interfaces on VLAN 1 will take care of it all in this configuration.
1. Make sure you routing mark the packets from the /24 in IP firewall mangle.
2. Make sure you exempt them from NAT
3. Make sure your default route for them has the routing mark from step one.
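The three steps above (routing-mark the /24 in mangle, exempt it from NAT, give its default route that routing mark), as an added RouterOS v6 example that is not the poster's own configuration; the 203.0.113.0/24 block, the ether1-wan interface and the 198.51.100.1 gateway are assumed placeholders.

```routeros
# Added example, not from the original post. Assumed placeholder values: public block
# 203.0.113.0/24 routed to you, WAN interface "ether1-wan" with gateway 198.51.100.1.
/ip firewall mangle
# Step 1: mark the routing decision for traffic sourced from the public /24.
# prerouting runs before the route lookup, so the mark can select the route.
add chain=prerouting src-address=203.0.113.0/24 action=mark-routing \
    new-routing-mark=public-out passthrough=no
/ip firewall nat
# Step 2: exempt the public block from source NAT. Rule order matters: this accept
# must sit above the masquerade rule, or the public hosts get masqueraded anyway.
add chain=srcnat src-address=203.0.113.0/24 action=accept \
    comment="public /24 - no NAT"
add chain=srcnat out-interface=ether1-wan action=masquerade \
    comment="everything else"
/ip route
# Step 3: a default route that is only consulted for packets carrying the mark;
# unmarked traffic keeps using the main table's default route.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=public-out distance=1
```

Verify with /ip firewall nat print stats and /ip route print where routing-mark=public-out: the accept rule's counters should climb for public-sourced traffic while the masquerade rule's do not.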
I suggest you Mangle the packets marking upload and download packets then queue tree them. Simple Queue are not specific enough. Example from my RB IP Firewall Mangle add action=mark-packet chain=forward comment="Download Office" disabled=no dst-address=10.0.0.0/16 in-interface=Ether1-Gate...
2 things 1. IP Firewall Mangle 2. IP Routes (Make these changes in Winbox, this is not exact code) IP Firewall Mangle Add Action Routing Mark="Create Name" SRC=192.168.200.172 Ip Routes Add Route 0.0.0.0/0 DST=192.168.254.16 Routing Mark Required="Same name you created above" Dis...
Okay at L2 on Mikrotik no you can't do that. However you can: 1. Deny by mac the TV a DHCP address 2. subnet it out on its own port 3. create a second DHCP server with one reserved IP address for it on that subnet 4. Enable 1 to 1 NAT to allow broadcasts (Enable and disable when you need to allow/de...
The src-nat replaces the source address... I think you need the netmap rule
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
1. In the DHCP server give the TV a static IP 2. In the firewall drop the forward chain for the TV's IP (Enable/Disable this rule as needed) 3. Tell the kid if he attempts to subvert your will again, that he will burn in perdition's flames. If the issue is not internet access but network access inst...
If I understand you correctly. We want internet access to go out via a specific WAN port but local traffic to use both WAN ports. The solution was NOT NAT. You need to mangle the packets and add some routes. You will need to restore some of your original NAT rules. Ip Firewall Mangle Chain=Forward s...
I would not split those public IP into smaller subnet because you have so few of them. I would assign this 123.xxx.119.193/29 to the eth interface the customer is on tell them which two they can have from that range you have 194-198 left over. Make sure you exempt 123.xxx.119.193/29 from NAT and Fir...
You're not going to get 100 Full Duplex out of Mikrotik wireless equipment in real throughput. For that powerful a backhaul you are going to pay for it. Estimated costs are $2500 for the complete link (if this isn't an outdoor long distance link find a way to wire it). If 100 full duplex is a must and...
Have you considered tagging the traffic normal internet traffic and the incoming traffic with different routing marks. Adding routing filter to modify your dynamic route then editing your other route?
What protocols are being developed to Multihome without using BGP in IPv6? ****In case that question is not understood I am providing more information**** Reference http://www.theipv6experts.net/2011/enterprise-multihoming-ipv6/ My current setup 2 Gateways (Load balancing and redundancy) (VLAN 1-3 t...
I would say it probably is a provider problem... however I am hoping someone else will respond to this thread and say otherwise as I would like to know for sure.
Your issue with one connection not re-establishing is normal if your provider is ATT. I have it all the time. I have a TWC connection and an ATT connection. ATT never comes back up properly after a reboot. For me they are a cheap backup so I keep them around.
1. Okay first let's remove Ethernet 4 from the switch under interfaces change its master port to none. Interface - Edit Ethernet 4 Edit change master port to none This is removing Ethernet 4 from the switch interface. 2. Ip Addresses assign a public address to Eth4 and apply the network range IP - Ad...
1. Okay first let's remove Ethernet 4 from the switch under interfaces change its master port to none. 2. Ip Addresses assign a public address to Eth4 and apply the network range 3. Firewall mangle prerouting src=public network range action=apply routing mark "Public" 4. Firewall nat EDIT d...
Okay after further research I think I have found the issue. We are losing the VLAN tags when the packets go through the router to the bonded interfaces. Let's re-tag them in the RB switch. Switch Rule Select ports and IP range Action New VLAN ID. I have not tested this but you may need to add the VLA...
Enslave the other interface Example Ethernet 5 has VLAN 10 and VLAN 20 Now we want to add Ethernet 4 to this. Select Ethernet 4 and specify a master as Ethernet 5. (Now Ethernet 4 and 5 and VLANS on both are connected) Remember Mikrotik will automatically try and route between vlans. You will need t...
Add the queue under Queue Type one for up and one for down. Then when you create the simple queue on the advanced TAB select your PCQ queue under the queue type drop box. In the simple queue the max rate is the cap for the total connection. Example Simple Queue Maxrate 1M PCQ max 512 2 users conne...
Okay bonding the interfaces on the two RB was the correct thing to do for load balancing and fail over. Now to make it a transparent L2 bridge... This will get your VLANS across. Login to the AIROS of the Rocket WIRELESS TAB WIRELESS MODE WDS (Access Point WDS or Station WDS respectively) [If you are ...
The Mikrotik router is not a VLAN switch. You need a switch working in concert with the router to accomplish this. As a general rule the Mikrotik does not tag anything. It just handles tagged traffic. Your switch should tag all traffic going to the Mikrotik on the trunk port. A cheap model is the ...
Those dst addresses are your servers' static ip addresses. What do I have to change in "dst-address"? And why is there a second? Code: add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=ether3 add chain=prerouting dst-address=192.168.2.0/24 action=accept in-...
I think I found the issue and I am sorry this took so long. The issue is when a client contacts the server on the second connection the server is responding on the first connection. I am posting information from my earlier post below; it has your answer. In the post below notice how the mangle rules i...
Apple owns the entire 17.0.0.0/8 most things are located there. To be certain you get it all connect to the services you want to redirect and monitor the IP address that you connect to. Start by blocking (Black hole the traffic with a route) them and keep retesting until you get them all black holed...
Okay for LAN 3 you need to mark those packets IP/ FIREWALL / MANGLE prerouting source address X.X.X.X/X (corresponds to the LAN 3 IP range) Action mark routing "Any Name" Now you add your route IP / Routes dst 0.0.0.0/0 Gateway "The IP for second gateway" Routing mark "The n...
Edit your /IP routes Remove the Dynamic PPPoE ADSL route and add it as static, use the check gateway option (distance 1). If the route fails it is removed. Add a new route to your VPN at distance 2 (route will only be used if dsl goes down) This is all assuming you can reach the VPN on some alternate...
That is incomplete only 8 rules coming up... You need to show them all as I am assuming you have some rules toward the bottom that are dropping input on your first dsl connection.
From what I can see it all looks perfectly fine. However I assume the issue must be with some vestigial firewall rule that is left over from before your changes.